
Different number of issues found depending on scan method


Hi, if I scan a .NET solution using the Fortify IDE plugin, I get a different number of issues from a scan of the solution using Audit Workbench or the command line. This is causing us problems as the developers are not seeing issues to fix that our CI build is finding. Why is there a difference?

Is there any way to configure the IDE scan so that it reports the same issues as the AWB or command-line scans?

Thanks

Accepted Solutions

Hi Dave, when scanning from AWB are you selecting the "Visual Studio Build Integration..." option? And when scanning from command line are you using "sourceanalyzer -b BuildID devenv etc etc"? If so the translation and scan should be the same. As in all 3 cases, AWB/CLI and IDE, we're using SCA's integration with devenv to translate the code.

I'd recommend opening a case with the Fortify Support folks for this - either through https://support.fortify.com or dropping an email to fortifytechsupport@hp.com. Please specify the -debug -logfile <path to log> options to the translation (through HP Fortify -> Options -> Project Settings -> Advanced Scan Options in the IDE), and provide the subsequent logs and the full output from the CLI and the VS output panes. This should allow us to see what's happening differently between the two scans.

Apologies I don't have an immediate answer to this, but the output and logs should give us a much better picture as to what's going on. Just let me know if you have any queries.

Hi Simon,

Thanks for your response.

I wasn't aware of the Visual Studio Build Integration option in AWB. So, I tried that and I get a message that a Problem Occurred. It says:

Scanning has encountered a problem. Error running progress Error running scan.

The command line option run as part of our Continuous Integration process doesn't use devenv as Visual Studio is not installed on the server. The code is built using MSBuild and then translated and scanned using SourceAnalyzer.

Is the use of devenv in the command line the only way to get the scans the same? We wanted to avoid installing Visual Studio on the server if possible.

I will send an email to fortifytechsupport as you suggested. Where would the log file detailing the AWB error be located?

Thanks again.

Dave


Ah, I believe the current MSBuild support doesn't include the .aspx (or any pre-compiled output) - while the devenv scanning will. We do have a bugfix request open for this which is currently scheduled to be resolved in our next release (subject to change).

In the meantime the Support folks should hopefully be able to help with any potential workarounds - it may be that we can do a build and then scan the output directly. Feel free to point Support to this thread or ask them to ping me to discuss.

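The practical way to confirm the diagnosis in the thread is to compare the two result files rather than the issue counts. Below is an added example, written for this page and not code from the thread or from Fortify: a Python script that reads audit.fvdl out of each .fpr (an .fpr is a zip archive), joins findings on their InstanceID, and groups the findings the CI scan lacks by the extension of the file they live in, alongside the files listed under Build/SourceFiles in one result but not the other. If every missing finding sits in a .aspx file that the CI result never lists as translated, the difference is the MSBuild translation gap described above, not a rulepack or analysis setting. The FVDL element names, the namespace string and the sample fragments (IDE_FVDL and CI_FVDL, constructed to mimic the layout) are this example's assumptions; check them against an audit.fvdl from your own SCA version.

```python
"""Diff two Fortify FPR results (e.g. the IDE/devenv scan and the CI/MSBuild
scan): which findings one has that the other lacks, grouped by file extension,
plus which source files one scan translated and the other did not.

Element names follow the audit.fvdl layout as the author of this example has
seen it (Vulnerability/ClassInfo/Type, InstanceInfo/InstanceID, the primary
trace's SourceLocation, Build/SourceFiles/File/Name); verify for your version."""
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PurePosixPath


def _local(tag):
    """'{namespace}Vulnerability' -> 'Vulnerability'."""
    return tag.rsplit('}', 1)[-1]


def parse_fvdl(xml_text):
    """Map InstanceID -> (category, path, line) for every <Vulnerability>.

    InstanceID is SCA's per-finding identifier and is stable across scans of the
    same code, so it is the join key. The first SourceLocation in the primary
    trace (the isDefault node) is taken as the finding's location."""
    root = ET.fromstring(xml_text)
    issues = {}
    for vuln in (el for el in root.iter() if _local(el.tag) == 'Vulnerability'):
        category = instance_id = path = None
        line = 0
        for el in vuln.iter():
            name = _local(el.tag)
            if name == 'Type' and category is None:
                category = (el.text or '').strip()
            elif name == 'InstanceID' and instance_id is None:
                instance_id = (el.text or '').strip()
            elif name == 'SourceLocation' and path is None:
                path = el.get('path', '')
                line = int(el.get('line', '0'))
        if instance_id:
            issues[instance_id] = (category, path, line)
    return issues


def translated_files(xml_text):
    """Source paths recorded under <Build><SourceFiles>: what SCA actually translated."""
    root = ET.fromstring(xml_text)
    files = set()
    for section in root.iter():
        if _local(section.tag) == 'SourceFiles':
            files.update(n.text.strip() for n in section.iter()
                         if _local(n.tag) == 'Name' and n.text)
    return files


def load_fpr(fpr_path):
    """Read audit.fvdl out of a real .fpr archive and parse both views of it."""
    with zipfile.ZipFile(fpr_path) as fpr:
        xml_text = fpr.read('audit.fvdl').decode('utf-8')
    return parse_fvdl(xml_text), translated_files(xml_text)


def _ext(path):
    """Lower-cased extension; tolerates Windows-style separators in the path."""
    return PurePosixPath(path.replace('\\', '/')).suffix.lower()


def diff_scans(ide_issues, ci_issues):
    """(IDE-only findings, CI-only findings, IDE-only findings counted by extension)."""
    only_ide = {k: v for k, v in ide_issues.items() if k not in ci_issues}
    only_ci = {k: v for k, v in ci_issues.items() if k not in ide_issues}
    by_ext = Counter(_ext(v[1]) for v in only_ide.values())
    return only_ide, only_ci, by_ext


# Constructed, minimal FVDL fragments (not real SCA output), shaped like the
# elements read above. The IDE scan translated Default.aspx and flagged an XSS
# in it; the CI scan's SourceFiles list never contained that file.
_VULN = ('<Vulnerability><ClassInfo><Type>{cat}</Type></ClassInfo>'
         '<InstanceInfo><InstanceID>{iid}</InstanceID></InstanceInfo>'
         '<AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">'
         '<SourceLocation path="{path}" line="{line}"/>'
         '</Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>')
_SQLI = _VULN.format(cat='SQL Injection', iid='AAAA1111', path='Web/Default.aspx.cs', line=42)
_XSS = _VULN.format(cat='Cross-Site Scripting: Reflected', iid='BBBB2222',
                    path='Web/Default.aspx', line=17)
_HEAD = '<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"><Build><SourceFiles>'
IDE_FVDL = (_HEAD + '<File><Name>Web/Default.aspx.cs</Name></File>'
            '<File><Name>Web/Default.aspx</Name></File></SourceFiles></Build>'
            '<Vulnerabilities>' + _SQLI + _XSS + '</Vulnerabilities></FVDL>')
CI_FVDL = (_HEAD + '<File><Name>Web/Default.aspx.cs</Name></File></SourceFiles></Build>'
           '<Vulnerabilities>' + _SQLI + '</Vulnerabilities></FVDL>')


def demo():
    """Run the comparison on the constructed fragments."""
    only_ide, only_ci, by_ext = diff_scans(parse_fvdl(IDE_FVDL), parse_fvdl(CI_FVDL))
    untranslated = translated_files(IDE_FVDL) - translated_files(CI_FVDL)
    return only_ide, only_ci, by_ext, untranslated


if __name__ == '__main__':
    only_ide, only_ci, by_ext, untranslated = demo()
    print(f'IDE-only findings: {len(only_ide)}, by extension {dict(by_ext)}')
    print(f'CI-only findings: {len(only_ci)}')
    print(f'Files the CI build never translated: {sorted(untranslated)}')
    # Real results: ide, ide_files = load_fpr('ide.fpr'); ci, ci_files = load_fpr('ci.fpr')
```

On real results, replace the constructed fragments with load_fpr('ide.fpr') and load_fpr('ci.fpr') and diff the two file sets the same way. A quicker first check, while the build ID is still on the CI box, is sourceanalyzer -b <BuildID> -show-files after the MSBuild translation: it lists the files the analyzer actually received, and if no .aspx files appear there, nothing in the scan step will put them back.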